background_fid.jpg
Connecting Alaska to the World And the World to Alaska
Play Live Radio
Next Up:
0:00
0:00
Available On Air Stations

Leaks Reveal Spyware Meant To Track Criminals Targeted Activists Instead

TERRY GROSS, HOST:

This is FRESH AIR. I'm Terry Gross.

Your worst nightmare about how a smartphone can be hacked to spy on its owner became a reality for 37 people around the world whose phones were infected by spyware or whose phones had an attempted penetration. These people included journalists, activists, business executives and two women close to the murdered Saudi journalist Jamal Khashoggi. A forensic analysis revealed that the phones had been penetrated by military-grade spyware called Pegasus, which had been licensed to governments by the private Israeli security company NSO Group. The company says that the Pegasus spyware it sells to governments is intended to collect data from suspected criminals and terrorists. But apparently, the reality is that the spyware was widely misused.

The human rights group Amnesty International and a Paris-based journalism nonprofit called Forbidden Stories shared the forensic analysis of these devices with a consortium of more than 80 reporters from media organizations around the world, including The Washington Post. My guest, Craig Timberg, was one of the two coordinators of the project at the Post and one of its lead reporters. He covers technology for the Post, specializing in privacy, security and surveillance. This year, he's also been reporting on QAnon and the forum TheDonald.win, whose chatter about how to come prepared with weapons and build a gallows at the Capitol on January 6 should've been sufficient warning to the FBI and police about what to expect.

Craig Timberg, welcome back to FRESH AIR. I want to start by saying that the NSO Group refutes a lot of what The Washington Post has reported, and we'll get to those denials a little bit later. But first, let's talk a little bit about your reporting. What is this spyware that we're talking about - Pegasus - capable of doing?

CRAIG TIMBERG: Pegasus can do anything on your smartphone that you can do. It can read all of your communications. It can see where you've been in the world. It can see who you've called. It can see your social media posts. It can grab your passwords and usernames and grab all of your contacts. And in a particularly creepy twist, it can flip on your microphone and your camera without you knowing it and start recording what you're saying and take images of what you're doing.

GROSS: Yeah, I want to refer to two of the people quoted in the article. One is a journalist who said it's a tool that destroys the essential codes of civilization. It comes to your office, your home, your bed, every corner of your existence. This is from a dissident journalist who was targeted.

And another journalist who was targeted talked about how really disturbing it was to know that this device could've been listening or shooting video every time this person went to a bathroom, no matter where the bathroom was.

TIMBERG: It takes a story like this to help people understand how deeply enmeshed these tiny, little computers have gotten into our - in our lives, right? I mean, I cover surveillance and privacy and have been reporting on this for pretty close to a decade. I still carry my iPhone everywhere I go, right? It's in the room with me. It's - you know, I have a thousand different conversations on it any given day. And the reality of that is that every time I do that, I'm exposing not just myself, but everyone I deal with to the possibility of spying, you know, by governments all over the world.

GROSS: Now, I mentioned 37 people who were targeted, but you also had a list of 50,000 people or phones. What is that list of 50,000?

TIMBERG: The list of 50,000, you know, includes some verified surveillance targets. And unfortunately, I have to be careful here about how I depict exactly what all is on there. But you think about it as kind of was the soup bones of the project in that we had this huge number of phone numbers, and we didn't at first know who they belonged to, and we didn't know exactly what we would find when we started running around the world and asking people to turn over their iPhones to us to be analyzed. So, you know, it would be nice to know who every single person on that list was, but even with the extraordinary resources of this project, we just couldn't get through a number that large.

What I can tell you is that when we dug in, we found lots of evidence of interesting things that really gave us insight into the way governments use spyware that we just have never had before.

GROSS: Can you be more specific about that?

TIMBERG: It's worth understanding that NSO Group has a lot of customers, and they're not all the same. And to be clear, as the company has pointed out to us in a hundred different ways and a hundred different times, like, they don't run this system. What they do is they license this system to, you know, intelligence agencies and police departments in 40 different countries around the world. And it's clear that in some of them, there just aren't meaningful guardrails against abuse of this technology.

I just described how powerful it was, right? They're in your device. They can do what you can do and probably some things you don't know how to do on your smartphone or your Android device. And it's clear that in at least some of these countries, this very powerful tool is used to pry into the lives of all sorts of people who never should've been the targets of a government intelligence or law enforcement agency - you know, as you've mentioned, journalists, human rights activists, lawyers, academics, businesspeople. It's clear that on some level, the use of this technology in some countries went way beyond the bounds of what it's supposed to be used for.

GROSS: Did you recognize any of the names on the list of 37?

TIMBERG: On the list of 37, these were largely but not exclusively journalists, and they were based predominantly in other countries. So, no, I didn't know them upfront. But interestingly, I knew some of them by the time it came to write the stories 'cause in some cases, it was reporters working on this very project.

So just imagine you're a journalist from India or Hungary. You're in a country that you know there's a pretty high degree of surveillance going on. You start working on this project that has all these phone numbers and all of - you know, all this effort to sort of figure out who might be on this list, and your own number pops up. And then you turn over your device to some technician who, you know, downloads the data and discovers that not only were you infected by Pegasus, but, I mean, you might've been infected for months, in some cases years, which means every single conversation you've had, every email, every time you've tweeted or done something that you thought was private, like chatting on encrypted channels like Signal, every single one of those things now is in the hands of some government official who you probably will never meet.

GROSS: And everyone you know might be endangered as a result.

TIMBERG: Exactly. I mean, people are endangered, but it's worth being careful with the vocabulary here. And we spent a lot of time at the Post and, you know, with our partner organizations trying to get the language right. I mean, being infected by Pegasus is not like, you know, being shot by a gun or taken out by a drone strike or anything like that. What this is is spying. It's extremely sophisticated spying.

And, you know, another kind of language issue we ran into - a lot of people want to call this bugging or wiretapping. And we all have this understanding, mainly based on police shows, of, you know, guys in white vans clipping alligator clips onto telephone wires and listening to a call. I mean, the - you know, the brilliant show "The Wire" is sort of all built around this concept that police in certain circumstances can listen into the conversations - in that case, drug dealers.

But this kind of technology is like a thousand times more intrusive because it can get all of this retrospective information of what you said and where you've been and who you've said it to and where you said it. And that completeness of information and granularity of information is something that, A, never existed before smartphones became so prominent. And secondly, the laws around this are poorly constructed and poorly enforced in most parts of the world. And so that means that if you're living in a country whose government hasn't built guardrails, and very few have built guardrails, it's really open season with this stuff. It's just - it's simple. It's easy. It's incredibly powerful.

GROSS: Is this why you write that critics say that the widespread use of this spyware has emerged as a leading threat to democracies around the world?

TIMBERG: Exactly. To use the example of someone like me, you know, when I was overseas, I was based in Johannesburg. I used to go in and out of Zimbabwe, you know, all the time. It was at that point the country was closed to foreign correspondents. There was all of this repression and sometimes violence happening. If every time I went in there, every single conversation I had with an opposition politician or a rights group or even an ordinary citizen who I may be interviewing, you know, in their home - if all those were available to the Zimbabwean government - and for the record, I have no reason to believe at that time that was the case. But imagine both the real impact on those people, but also the impact on me attempting to gather news 'cause I can tell you, when you're a working journalist, you worry a little about yourself, but what you really worry about are the people you're interviewing because they are almost in every case much more vulnerable to being jailed, being investigated, being beaten. In Zimbabwe, people's homes would be burned out, all that kind of thing, after journalists interviewed them. So, you know, if you have to live in fear that the tool that you use to communicate with your subjects is actually, you know, a sort of a pipeline back to the authorities, that's incredibly chilling.

But beyond that, you know, if you're a human rights investigator and you're looking into abuses in a community, it's hard to get people to talk. It's hard to get people to share their stories. And some degree of protection of anonymity is essential to that. Again, you - let's say you work for Human Rights Watch. You go into a community, you think your phone is turned into a spying device, how do you do your work? And the next level would be, what if you're a politician who's not in power or, as we found in some cases, a politician who is in power but maybe isn't the actual president of that country? Having these computers spying on us all the time makes it incredibly hard for this whole group of people to do their jobs within a democracy. That means criticizing the ruling power. That means exposing abuses. That means simple newsgathering or even just going about your life.

GROSS: Well, let me reintroduce you here. If you're just joining us, my guest is Craig Timberg, a national reporter covering technology for The Washington Post. We'll talk more after we take a short break. This is FRESH AIR.

(SOUNDBITE OF ALEXANDRE DESPLAT'S "SPY MEETING")

GROSS: This is FRESH AIR. Let's get back to my interview with Washington Post reporter Craig Timberg. He's been investigating how a private Israeli cybersecurity company called NSO Group licensed military-grade spyware called Pegasus to governments that were supposed to use it only for tracking terrorists and criminals, but some of those governments used it to hack the phones of journalists, human rights activists, business executives and others.

What if you turn off your phone?

TIMBERG: So people take all sorts of measures to protect themselves from, you know, the knowledge that your iPhone or your Android device can be turned against you. You know, you can turn off your phone. You can put it in the microwave and, like, walk outside. And people do that. The United States doesn't really have the same kind of problem with this a lot of other countries do. The NSO Group in particular says, oh, no, no. No device in the U.S. can possibly be targeted. No device with a U.S. country code can be targeted. And that may be true. We don't really know. But I can tell you that there are a lot of spyware companies. So, you know, one company's rules are not necessarily another company's rules.

But additionally, let's say you've, you know, put your phone in your freezer and you meet with your other opposition folks, and then you come back and you take your phone out of the freezer and, assuming it's not an ice block at that point, you resume using it. You still are having all this incidental contact. Your device is still logging where you are. It's logging what you're saying in encrypted chats. It's capable of mapping out essentially every relationship in your life. And you could be careful. And I'm careful. Like, I - and I was particularly careful over the last few months to be as safe as I could be. You know, I turned off certain things on my device. I locked down all this stuff. The reality is that I caught myself slipping all the time. It's just - it's extremely hard to navigate your life in 2021 without one of these devices helping you navigate it while, at the same time, tracking you as well.

GROSS: But just technologically, if you turn off your phone, can you still be spied on through your phone?

TIMBERG: Probably. You know, you all probably recall the days when you could, like, pop your battery out of your device. And this was my era when I was a foreign correspondent. You know, I'd go into Zimbabwe, and people would pop their phones out and put them away, and they felt safer, and they were safer. I can't get into my iPhone and remove that battery. I don't think that - I don't think the modern smartphone really is ever all the way off. And so I don't know enough about the coding in Pegasus to say that they can turn your phone on, but I would not be surprised at all if there was spyware that was capable of activating things on your device even when it's off - or when you think of it as off, meaning the screen's blank and it is acting like, you know, a paperweight as opposed to a computer, 'cause these things, on some level, are always on.

GROSS: Tell us about the company that sold this spyware, NSO Group. What do you know about them?

TIMBERG: This is a group that was started by some Israeli friends who were, you know, were trying to make it in the world of internet startups in Israel, which is quite a robust world. But they also had backgrounds, you know, in cybersecurity. And they started this company because they were approached by authorities who - in Israel who, you know, helped them understand that if they could use their technological chops in the right way, that they could help the government do things that were important to it. And to be fair to NSO, a lot of what they do is important. I mean, and I hope that no one who reads our articles discounts the importance of, for example, tracking pedophiles and drug lords and terrorists. I think we all agree that the people in charge of combating those evils have resources at their disposal to allow them to do it.

GROSS: So do any of the people in NSO Group have experience with Israeli military intelligence?

TIMBERG: The NSO Group, like similar companies around the world, is heavily staffed by former spies. And this is true for a lot of cybersecurity companies in the United States. You get through the NSA, and you're ready to leave or retire, and there's lots of opportunities for people who have this kind of skill set, people who know how to build software that hacks into things. And so this whole world - and this is true at the NSO Group, as well - is full of these former military spies who did this work, you know, for their governments for many years.

GROSS: Craig, the NSO has been in touch with you, the company that leases this spyware, with many objections to your reporting, and this has been an ongoing process for you and the other reporters at the Post covering this story. What have their objections been, and how has that affected what you've reported?

TIMBERG: It's been interesting to watch this process play out because in terms of communication with the company, I feel like this was a prepublication phase where, you know, they hired a lawyer, a defamation lawyer in Virginia, and sent aggressive letters to all of us, essentially threatening to sue the Post and its partners and put us on watch, you know, to essentially, you know, make sure we got everything right, which we're supposed to anyway. But it does focus the mind when you get letters like that.

But in the prepublication phase, NSO Group really disputed almost every claim that we made. And they claimed that our forensics didn't work. They claimed that our reporting was just full of, you know, scurrilous lies and exaggerations. They in particular challenged and continue to challenge the idea that the list of 50,000 phone numbers is in any way affiliated with their company.

But the tone began to be different as our stories started getting published around the world. And, you know, a few hours after the first batch of stories ran - you know, about 10, 11 days ago - I got a call from Shalev Hulio, the chief executive of NSO Group, and he wanted to make sure that I knew that - and that we knew - that he still thought our reporting was wrong in five different ways. But he did make a real point of saying, you know, I need to tell you that some of the stuff I've read about journalists and human rights activists really bothers me, and we're going to look into it. We're going to investigate.

And he said, you know, if we investigate, you know, there's a chance we'll find some problems. We've found problems in the past. We've terminated contracts in the past with countries that are problematic, and we're prepared to do that again. Now, that process is ongoing, but the company has shown a willingness to engage with us on the matters we've been raising. And, you know, who knows what that investigation should look like, but it was clear that he was troubled by some of what he had read.

GROSS: What are their objections to what you actually published 'cause I want to represent them in the story, too?

TIMBERG: NSO Group has several kinds of objections. They believe that it's impossible that so many people were potentially surveilled. They argue that - you know, when it comes right down to it, they're kind of making a bad apples argument. In their view, they're doing all of these wonderful things to target, you know, drug lords and pedophiles. And in their view, what we're unearthing - either we've got it wrong, which they say in some cases, or what we're looking at are really extreme kind of misuse cases that don't really shed that much light on the larger - what the company mainly does, which in their minds is fight terrorists and criminals. So, you know, they've objected strongly in a number of cases.

At the same time, though, they also share some revealing facts about their ability to monitor this. And in a way, this goes to the heart of the problem. You know, NSO Group provides a service. Government agencies buy that service or license that service. And then once these systems are installed in - you know, in some secret police, you know, headquarters in some capital in some part of the world, NSO Group doesn't run it anymore - at least that's what they tell us. You know, the operators of the systems, you know, basically do what they want, and if they're caught doing something problematic, they might indeed get their contract pulled.

At the same time, there's no real mechanism to catch anybody. You know, we're talking about operators in a room entering phone numbers, gathering data, but no one's watching them - no one from the company, no one from the U.N., no one with any kind of independent authority to say, oh, no, no, there you went over the line. These hundred queries are fine, but these 20 queries are not fine. There's no real mechanism that would catch abuses as they were happening.

GROSS: I think it's time for another break, so let me reintroduce you. My guest is Washington Post national technology reporter Craig Timberg. We'll talk more about spyware after we take a short break. I'm Terry Gross, and this is FRESH AIR.

(SOUNDBITE OF MUSIC)

GROSS: This is FRESH AIR. I'm Terry Gross. Let's get back to my interview with Craig Timberg. He covers technology for The Washington Post and specializes in privacy, security and surveillance. He's been investigating how the private Israeli spyware company called NSO Group licensed military-grade spyware called Pegasus to governments that were supposed to use it only for tracking terrorists and criminals. But some governments used it to hack the phones of journalists, human rights activists, business executives and others.

So what is the relationship between the Israeli government and Israeli private companies that do espionage and that sell or lease spyware?

TIMBERG: I think we don't really know. A couple of my colleagues looked very carefully at this question about, you know, whether the Israeli government has some sort of access to the data that NSO clients collect. The company says, absolutely, positively not. The U.S. intelligence community and their partners in other parts of the world certainly believe that the Israelis have some sort of access to the data that NSO Group collects. Whether that's periodic or episodic or whatever, we don't know. But it is generally the case that troves of valuable information that are sitting, you know, to be collected tend to get collected fairly often. These intelligence agencies are very sophisticated. Their jobs are serious. And so there's certainly persistent suspicions that some of the data that's collected ends up in the hands of the Israeli government and maybe other governments in the world, too.

GROSS: Does the Israeli government have to give approval before a private Israeli company can license spyware to another government?

TIMBERG: Yes. Israel, like the United States and a number of countries, has what's called export controls. And so when it comes to something like this - it is military-grade spyware - it does have to be approved by the government of Israel. And we're told that, you know, if there are abuses, if there are countries that the government views as particularly problematic customers that they can't sell to those places. And I just want to emphasize again here that this isn't just one company. And it's not just Israel. There's other governments around the world that are more lax in their controls. And so even if the Israelis are doing this perfectly, that doesn't mean that people's iPhones aren't getting hacked.

GROSS: So are there any national or international laws preventing private companies or governments from misusing spyware?

TIMBERG: Lots of governments have laws on the books about wiretapping and require court approval. You know, I'm not an expert on all of them. But I would be willing to guess that almost all of them need updating for the smartphone world and the kinds of surveillance that's happening now. You've seen our U.S. Supreme Court, you know, try to make sense of the ways that these devices collect data and the ways that authorities are allowed to get that data. Something like that needs to happen, probably, in every country in the world. And probably, it needs to be sped up here as well.

In terms of international controls, I don't know of anything meaningful that limits this trade. This is a common problem throughout history, right? A new technology, you know, is thrilling. And then we realize we have all these problems. And then it takes a while for societies and governments to really wrestle with these problems or bring these under control. I think we're, like, at Step 2 of that, right? The purpose of this project was to help the world understand how widely this stuff is used, how invasive it is. And we're hoping that, now, there's more meaningful and informed conversation about what can be done to bring it under control and so that it is really used for the purposes it's designed for.

GROSS: So you, The Washington Post reporters and the larger consortium of journalists investigating this story, along with Amnesty International, were able to identify 37 people whose phones were targeted through this spyware that we've been talking about. Do you know who targeted them, like, which governments, agencies or police units were behind it?

TIMBERG: We don't actually know for sure in any of these cases. We obviously have very strong suspicions. You know, what we had were phone numbers. And from these phone numbers, we were able to identify devices that could then be checked forensically for evidence of infection. But it was an unbelievably painstaking and laborious process to get there. And, you know - and these - you know, you can tell where a victim is by their country code. But, you know, it's not like the list had little flags on it to tell us that a particular government was the one that did the - you know, selected people for surveillance in this way. You know, you look at the data. And certain - you know, obviously, certain things come out and suggest themselves. But we weren't able to get to a point where we were 100% confident - really, in any of the cases - who the surveillor was.

GROSS: So without getting too technical, what have you learned about how this spyware penetrates through a phone's defenses?

TIMBERG: The most alarming thing about this thing we've learned is that you can be infected without having any idea that anything unusual has happened.

GROSS: So you don't even have to, like, click on anything?

TIMBERG: Yeah. Exactly. You know, we've all learned over the past decade that, you know, if you get an email from someone saying they're a Nigerian prince and they've left a bunch of gold bullion in your airplane that maybe you don't want to click on that link. Like, that's a cultural learning we've all absorbed. But this kind of spyware is so sophisticated, they can send it to your device in a variety of ways. And you don't even know that you've gotten an unusual communication. In some cases, this comes through iMessage. There was a time when it was - this stuff was coming in through WhatsApp.

And then once - you know, once it's sort of had its purchase on your device, you know, nothing happens on your screen. You don't get a little ding. You don't get a little skull and crossbones or anything like that. It's just inside your device, and it's taking over. One of the most startling findings was when we looked at timestamps on the phone list and we looked at forensic records on devices we had - you know, people had shared with us, some cases, you know, the timestamp on the list and the forensic records in the device, you know, just a few seconds had passed. You know, someone had entered a number. And, you know, 14 seconds later, there are these malicious processes happening on someone's iPhone, as Pegasus, you know, is cracking open the device. It's very fast. It's very - and it is invisible. And it's impossible for almost anyone to detect.

GROSS: So who needs to worry about having their phone penetrated? Do Americans need to worry about this? Do our listeners need to worry about this?

TIMBERG: This is a slightly complicated answer. I mean, NSO Group says very persistently and in court that Americans' phones can't be surveilled using their technology. And so that means if you've got a, you know, +1 country code, whatever area code you are in the U.S., that you're fine. It also means that if you're a foreigner and you're in the United States, that - you know, that Pegasus supposedly doesn't work.

There's a couple of clear problems with efforts to reassure your listeners. One of them is there are other companies that do this, right? So even if the NSO Group has been completely, completely honest and Americans' phones can't be surveilled, it doesn't mean that some other company isn't doing it. Secondly, you know, lots of us travel. You know, when I used to travel around Africa, I would get a SIM card in every country. I would get a phone number.

We found lots of journalists and aid workers and diplomats, including American diplomats in other countries, who were using local phones, right? You're based in Bahrain. You don't want every call to go through your Verizon phone number in New York. So you pick up a Bahraini SIM card. At that moment, you know, your nationality is invisible to this technology, right? There's no way to know. Even if you're the secret police and you're operating this Pegasus system, there's no way to know that plus-whatever-whatever in Azerbaijan or India, you know, is a U.S. citizen. So the devices have no nationality. And so while there is some protection for Americans, it's very far from perfect protection.

GROSS: Let's take another break here. If you're just joining us, my guest is Craig Timberg, a national reporter covering technology for The Washington Post. We'll talk more about spyware after a break. This is FRESH AIR.

(SOUNDBITE OF MUSIC)

GROSS: This is FRESH AIR. Let's get back to my interview with Washington Post reporter Craig Timberg. He's been investigating how a private Israeli company called NSO Group licensed military-grade spyware called Pegasus to governments that were supposed to use it only for tracking terrorists and criminals. But some governments used it to hack the phones of journalists, human rights activists, business executives and others.

I'm going to change directions a little bit and get to an earlier article you wrote that's seeming very relevant right now. On Tuesday, we heard Capitol Police officers give just incredibly upsetting testimony about what they experienced and how they were attacked on January 6. And you wrote an article about an online forum called thedonald.win that - judging from what you quoted, this forum basically had chats about just about everything that we saw happen in that violent mob. Do you want to talk a little bit about what you found on that forum?

TIMBERG: Yeah. This was just startling and troubling stuff. I mean, I've spent most of the last few years of my life looking at troubling stuff on internet forums, and I'm kind of hard to shock at a certain point. But, man, the openness of the conversation around bringing weapons to D.C., about zip tying the hands of a member of Congress, about shooting or hanging them was - it was really upsetting, frankly. And it was really out in the open.

You know, I got a call from a researcher a few days before the January 6 mob attack on the Capitol, and he said to me, you really need to see this stuff. Like, you need to write about this right now. And so I, you know, teamed up with a colleague of mine. And we found, you know, 48 hours out, signs of everything that then came to pass. And then when it all happened on January 6, it was couple of days after. We found even more stuff as more researchers surfaced all these things.

And these weren't unencrypted chats. You know, these weren't in, you know, dark rooms or whatever. These were happening on the internet in a place that anyone who knew where to look could find it. And it absolutely foreshadowed the events of that day. Maybe we didn't know exactly what was going to happen. But I can tell you we started that day with a very bad feeling.

GROSS: Let me mention a couple of other things that you reported about what was said on this forum, thedonald.win. There was a debate over whether they should build a guillotine or gallows, and it finally got resolved in favor of gallows, which commenters estimated could be built cheaply for just about $200. And it was actually - there was actually a gallows on the National Mall, you know, to hang - well, the chant was, hang Mike Pence. But, you know, who knows what exactly would have happened with those gallows?

There's diagrams that were shared on the site of tunnel systems beneath the Capitol complex and then speculation about how pushing the mob from behind could end in a wall of death that would force police officers to abandon their positions. There was advice on how to attack Capitol Police with flagpoles. Check - that was done. It so predicted what happened. That seemed so shocking at the time. And does it make you wonder, like, why weren't the police and the Capitol Police more prepared? What went wrong?

TIMBERG: It certainly - I mean, I was wondering exactly that.

GROSS: I mean, everybody's wondering that. But you've got these specific details.

TIMBERG: That stuff was just so chilling to read in the days before and in the immediate aftermath - just how much of that was, as you say, foreshadowed by things that were said on thedonald.win and some other forums. I thought a lot about this question of how they could have been so unprepared. And I think the answer is probably multilayered. But it's clear that the people who were making decisions at the time didn't want the same sort of optics around, you know, this particular - what at that point looked like was just a protest that they had around, you know, some of the Black Lives Matter protests in Washington, D.C., and elsewhere over the summer.

There was this real sensitivity about, you know, the clashes with police and, you know, National Guardsmen, you know, patrolling the streets of the nation's capital. And they didn't want - that's not the image they wanted to project of themselves of Washington, D.C., to the world. And it is certainly clear that they were woefully underprepared for what happened. And we know that some authorities, you know, had noticed the same issues that we had noticed and were writing about. But it's - at the same time, the decision-makers clearly didn't take it seriously enough. And this is a persistent problem I've noticed. In the issues I've covered - you know, I cover technology. But I oftentimes joke that I cover technology behaving badly. And, you know, there's just so many things on the Internet that you can kind of keep yourself in a perpetual state of alarm. It's hard to know exactly when to - when a threat has become real enough to kind of leap the bounds and end up in the real world.

But I can tell you, this is one that, from the very beginning, looked like - it looked like violence was very possible, if not probable. But I can also understand how - you know, how easy it is to discount stuff that just appears to be only on the Internet. You know, I think you need to live something like January 6 to kind of understand that these two parts of our world that we think of as separate - the online and the offline - actually are - they're more than merely connected. They interact with each other all the time. And they are often kind of part of a seamless whole.

GROSS: What is it like for you to live in this really dark space, because you're reporting so frequently on things related to technology that become nightmares?

TIMBERG: You know, we have bad days. Everyone I know who has covered this stuff has been, you know, personally threatened at least somewhat, some people much more seriously than I have been. And there's just this kind of, like, gazing into the sewer of humanity quality about the work sometimes. I did some stories a couple of years ago about, you know, YouTube channels that were pushing the idea that Hillary Clinton was, you know, raping and eating children. You know, I can say that. But, man, reading that kind of stuff again and again, these sort of images that get thrown up, it's not fun. I mean, you do really want to look away. And at the same time, you know, if we don't look at it and don't at least write about it, how does the world know that it's a real thing and that it's a serious thing?

This goes back to the January 6 problem that I mentioned a minute ago. Like, people don't want to believe this bad stuff that's on the Internet really is part of, you know, the worlds they live in every day as they go about their lives and work and shop and go to little league games and all that stuff. But it's there. It's there. And, you know, we need to take it seriously. We need to look at it with unblinkered eyes and try to make good decisions about how to deal with it. And that is - I do think that's what - one of the things that failed on January 6 is people didn't really, really in their hearts believe that things could get as bad as they did.

GROSS: Well, Craig Timberg, thank you so much for your reporting. Thank you for being with us on FRESH AIR.

TIMBERG: It's been my pleasure. Thanks for having me.

GROSS: Craig Timberg is a national technology reporter for The Washington Post. After we take a short break, Justin Chang will review the new film "The Green Knight," adapted from a legend about a young adventurer from King Arthur's court. This is FRESH AIR.

(SOUNDBITE OF DAVID NEWMAN AND RAY CHARLES' "HARD TIMES") Transcript provided by NPR, Copyright NPR.